The DUAA is a new Act of Parliament that updates some laws about digital information matters. The changes will be phased in between June 2025 and June 2026. We have information that will help your organisation comply with the changes, most of which offer you an opportunity to do things differently, rather than needing you to make specific changes to comply with the law.

What You Can Do Differently

The DUAA might help you innovate in areas such as: 

1.  Research provisions: it makes it clearer when you can use personal information for scientific research, including commercial scientific research. It clarifies that people can give ‘broad consent’ to an area of scientific research.

2. Privacy notices: it allows you to re-use people’s personal information for scientific research without giving them a privacy notice, if that would involve a disproportionate effort. Remember to protect their rights in other ways and still explain what you’re doing by publishing the notice on your website.

3.  Automated decision-making: it opens up the full range of reasons, or ‘lawful bases’, that you can rely on when you use people’s personal information to make significant automated decisions about them. This doesn’t apply to special category data, which is more protected.

4. Cookie rules: it allows you to set some types of cookies without having to get consent, such as those you may use to collect information for statistical purposes and improve the functionality of your website. 

How DUAA Makes Things Easier 

1. New ‘recognised legitimate interests’ lawful basis: when you use personal information for certain ‘recognised legitimate interests’, it removes the need for you to balance the impact on the people whose personal information you use against the benefits arising from that use. 

2. Disclosures that help other organisations perform their public tasks: it allows you to give personal information to organisations such as the police, without having to decide whether that organisation needs the information to perform its public tasks or functions.

3. Assumption of compatibility: it allows you to assume that some reuses of personal information are compatible with the original purpose for which it was collected, without having to conduct a compatibility test.

4. ‘Soft opt in’ for charities: if you’re a charity, it allows you to send electronic mail marketing to people whose personal information you collect when they support, or express an interest in, your work, unless they object.

5. Subject access requests (SARs): it makes it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal information.

6. Making things clearer: it improves the way the law is written and structured to make it easier for you to follow and apply, but without materially changing how you can use personal information.

1. Children and online services: If you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account when you decide how to use their personal information.

2. Data protection complaints: if you don’t already do so, the DUAA requires you to take steps to help people who want to make complaints about how you use their personal information, such as providing an electronic complaints form. You also have to acknowledge complaints within 30 days and respond to them ‘without undue delay’.